From 4033c72fef8b3d92e6329675ab40ce55beb32c9a Mon Sep 17 00:00:00 2001 From: 0xLanks Date: Wed, 4 May 2022 21:41:03 -0700 Subject: [PATCH 1/9] Added 'SameSite=Strict' cookie attribute, reducing overall CSRF attack surface --- BlogEngine/BlogEngine.NET/Global.asax | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/BlogEngine/BlogEngine.NET/Global.asax b/BlogEngine/BlogEngine.NET/Global.asax index 0056bc608..2fd043a71 100644 --- a/BlogEngine/BlogEngine.NET/Global.asax +++ b/BlogEngine/BlogEngine.NET/Global.asax @@ -12,4 +12,17 @@ { BlogEngineConfig.SetCulture(sender, e); } + + protected void Application_PreSendRequestHeaders () + { + var httpContext = HttpContext.Current; + if (httpContext != null) { + var cookieValueSuffix = "; SameSite=Strict"; + var cookies = httpContext.Response.Cookies; + for (var i = 0; i < cookies.Count; i++) + { + var cookie = cookies[i]; cookie.Value += cookieValueSuffix; + } + } + } \ No newline at end of file From 16343de33f2f064ff9b9a27fceb168871ec6a3fd Mon Sep 17 00:00:00 2001 From: 0xLanks Date: Wed, 4 May 2022 21:44:22 -0700 Subject: [PATCH 2/9] Fixed XXE vulnerability when importing a new blog --- .../Services/Syndication/BlogML/BlogReader.cs | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/BlogEngine/BlogEngine.Core/Services/Syndication/BlogML/BlogReader.cs b/BlogEngine/BlogEngine.Core/Services/Syndication/BlogML/BlogReader.cs index 8d81ad0ce..0ed4b4b58 100644 --- a/BlogEngine/BlogEngine.Core/Services/Syndication/BlogML/BlogReader.cs +++ b/BlogEngine/BlogEngine.Core/Services/Syndication/BlogML/BlogReader.cs 
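Review bot: Appending `"; SameSite=Strict"` to `cookie.Value` smuggles a cookie attribute through the value field instead of setting it as an attribute; anything that reads `Response.Cookies[...].Value` later in the same request sees the suffix, and for a cookie built from the `Values` sub-key collection the setter looks like it would collapse the sub-keys into one value with the suffix embedded. If the project can target .NET Framework 4.7.2 or later, `HttpCookie.SameSite` is the supported mechanism: `cookie.SameSite = SameSiteMode.Strict;`. Microsoft documents `Application_PreSendRequestHeaders` as unsupported for managed modules under IIS integrated mode; `httpContext.Response.AddOnSendingHeaders(ctx => { ... })` registered in `Application_BeginRequest` runs the same logic at the same point without that caveat. Consider `SameSiteMode.Lax` for the forms-authentication cookie: `Strict` drops the session on any top-level navigation from another site (a link from e-mail to the admin area, for example), while `Lax` still blocks the cross-site POSTs that CSRF relies on.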
@@ -53,13 +53,15 @@ public string XmlData /// /// Gets an XmlReader that converts BlogML data saved as string into XML stream /// - private XmlTextReader XmlReader + private XmlReader XmlReader { get { var byteArray = Encoding.UTF8.GetBytes(this.xmlData); var stream = new MemoryStream(byteArray); - return new XmlTextReader(stream); + XmlReaderSettings settings = new XmlReaderSettings(); + settings.XmlResolver = null; + return XmlReader.Create(stream, settings); } } From 035bc377694aeb95df010cd98538a7e7f8424498 Mon Sep 17 00:00:00 2001 From: 0xLanks Date: Wed, 4 May 2022 21:49:36 -0700 Subject: [PATCH 3/9] Fixed authorization controls on controller actions and added path sanitization preventing path traversal --- .../AppCode/Api/FileManagerController.cs | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/BlogEngine/BlogEngine.NET/AppCode/Api/FileManagerController.cs b/BlogEngine/BlogEngine.NET/AppCode/Api/FileManagerController.cs index cebca856a..e3fa41b96 100644 --- a/BlogEngine/BlogEngine.NET/AppCode/Api/FileManagerController.cs +++ b/BlogEngine/BlogEngine.NET/AppCode/Api/FileManagerController.cs @@ -1,4 +1,5 @@ -using BlogEngine.Core.Data.Contracts; +using BlogEngine.Core; +using BlogEngine.Core.Data.Contracts; using BlogEngine.Core.FileSystem; using BlogEngine.Core.Providers; using System; @@ -24,6 +25,11 @@ public IEnumerable Get(int take = 10, int skip = 0, string path = [HttpPut] public HttpResponseMessage ProcessChecked([FromBody]List items) { + if (!Security.IsAdministrator) + { + throw new UnauthorizedAccessException(); + } + if (items == null || items.Count == 0) throw new HttpResponseException(HttpStatusCode.ExpectationFailed); 
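Review bot: `settings.XmlResolver = null` stops external entity and external DTD fetches, but rejecting a `<!DOCTYPE>` altogether is governed by `DtdProcessing`, which is only safe here because its default is `Prohibit`; make that intent explicit so a later edit cannot quietly relax it: `settings.DtdProcessing = DtdProcessing.Prohibit;`. The property is named `XmlReader` and now also has the type `XmlReader`, so `XmlReader.Create(stream, settings)` inside its own getter resolves only through the compiler's same-name rule and reads like recursion; either a short comment or `System.Xml.XmlReader.Create(stream, settings)` removes the ambiguity for the next reader. The `MemoryStream` is never disposed because `XmlReaderSettings.CloseInput` defaults to false; `settings.CloseInput = true;` lets the returned reader own it. The enclosing class continues outside the hunk.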
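Review bot: `throw new UnauthorizedAccessException()` from an `ApiController` action surfaces as an HTTP 500 unless an exception filter elsewhere translates it, while two lines below the same method already signals a client error with `HttpResponseException`; `throw new HttpResponseException(HttpStatusCode.Forbidden);` keeps the action's error contract consistent and gives the caller a meaningful status. The identical check is repeated in `AddFolder` in the later hunk of this file; a private helper or an authorization filter applied at class level would keep the check from being omitted on a future action. `Get`, whose signature appears in the hunk header, lies outside the hunk, so whether the listing endpoint has an equivalent check cannot be seen here.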
@@ -36,10 +42,10 @@ public HttpResponseMessage ProcessChecked([FromBody]List items) if (item.IsChecked) { if(item.FileType == FileType.File || item.FileType == FileType.Image) - BlogService.DeleteFile(item.FullPath); + BlogService.DeleteFile(Extensions.SanitizePath(item.FullPath)); if (item.FileType == FileType.Directory) - BlogService.DeleteDirectory(item.FullPath); + BlogService.DeleteDirectory(Extensions.SanitizePath(item.FullPath)); } } } @@ -49,7 +55,11 @@ public HttpResponseMessage ProcessChecked([FromBody]List items) [HttpPut] public HttpResponseMessage AddFolder(FileInstance folder) { - BlogService.CreateDirectory(folder.FullPath + "/" + folder.Name); + if (!Security.IsAdministrator) + { + throw new UnauthorizedAccessException(); + } + BlogService.CreateDirectory(Extensions.SanitizePath(folder.FullPath) + "/" + Extensions.SanitizePath(folder.Name)); return Request.CreateResponse(HttpStatusCode.OK); } From 61daddf431ea0b1ca30297ee6b368955b5313c72 Mon Sep 17 00:00:00 2001 From: tree-chtsec Date: Mon, 24 Oct 2022 13:08:16 +0800 Subject: [PATCH 4/9] fix CVE-2022-41418 --- BlogEngine/BlogEngine.Core/Data/UsersRepository.cs | 3 +++ BlogEngine/BlogEngine.NET/AppCode/Api/UploadController.cs | 4 +++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/BlogEngine/BlogEngine.Core/Data/UsersRepository.cs b/BlogEngine/BlogEngine.Core/Data/UsersRepository.cs index 605100963..a574298e4 100644 --- a/BlogEngine/BlogEngine.Core/Data/UsersRepository.cs +++ b/BlogEngine/BlogEngine.Core/Data/UsersRepository.cs @@ -98,6 +98,9 @@ public BlogUser Add(BlogUser user) if (!Security.IsAuthorizedTo(Rights.CreateNewUsers)) throw new UnauthorizedAccessException(); + if (user.UserName.Contains("/") || user.UserName.Contains(@"\")) + throw new ApplicationException("Error adding new user; Invalid character detected in UserName"); + // create user var usr = Membership.CreateUser(user.UserName, user.Password, user.Email); if (usr == null) 
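Review bot: `Extensions.SanitizePath` is not part of this change, so what it guarantees for inputs such as `..`, a leading `/`, or a backslash cannot be verified from the diff; the durable check belongs where a virtual path becomes a physical one, by resolving with `Path.GetFullPath` and confirming the result starts with the blog's file root (`StringComparison.OrdinalIgnoreCase`) before `DeleteFile`/`DeleteDirectory`, and the same applies to `CreateDirectory` in the `AddFolder` hunk below. In `AddFolder`, `FullPath` and `Name` are sanitized separately and then joined with `/`, so the composed path is never checked as a whole. `folder` is also dereferenced there without a null check, so a missing body yields a `NullReferenceException` (HTTP 500) instead of the 4xx response `ProcessChecked` returns; `if (folder == null) throw new HttpResponseException(HttpStatusCode.BadRequest);` before the authorization check closes that gap.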
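Review bot: The two-character denylist covers only the path separators, yet the user name is later used as a file name (`User.Identity.Name + ext` in UploadController); an allowlist of permitted characters, or at least a check against `Path.GetInvalidFileNameChars()` plus rejection of names consisting only of dots or whitespace, is the more durable rule, and it should live in one helper that both this method and UploadController call. `user.UserName` is dereferenced before `Membership.CreateUser` gets to validate it, so a null name now throws `NullReferenceException` instead of the provider's error; guard with `if (string.IsNullOrWhiteSpace(user.UserName)) throw new ArgumentException("UserName is required", nameof(user));`. The .NET design guidelines discourage throwing `ApplicationException`; `ArgumentException` fits an invalid argument here. `Add`'s body continues outside the hunk.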
diff --git a/BlogEngine/BlogEngine.NET/AppCode/Api/UploadController.cs b/BlogEngine/BlogEngine.NET/AppCode/Api/UploadController.cs index ad6b01192..688ada454 100644 --- a/BlogEngine/BlogEngine.NET/AppCode/Api/UploadController.cs +++ b/BlogEngine/BlogEngine.NET/AppCode/Api/UploadController.cs @@ -64,6 +64,8 @@ public HttpResponseMessage Post(string action, string dirPath = "") dir = BlogService.GetDirectory("/avatars"); var dot = fileName.LastIndexOf("."); var ext = dot > 0 ? fileName.Substring(dot) : ""; + if (User.Identity.Name.Contains("/") || User.Identity.Name.Contains(@"\")) + throw new ApplicationException("Invalid character detected in UserName"); var profileFileName = User.Identity.Name + ext; var imgPath = HttpContext.Current.Server.MapPath(dir.FullPath + "/" + profileFileName); @@ -157,4 +159,4 @@ private void UploadVideo(string virtualFolder, HttpPostedFile file, string fileN } #endregion -} \ No newline at end of file +} From 9a8a7e3d56016ef16a4ac998e820f7c3d6973d74 Mon Sep 17 00:00:00 2001 From: tree-chtsec Date: Mon, 24 Oct 2022 13:36:54 +0800 Subject: [PATCH 5/9] fix CVE-2022-41417. But GetDirectory() will create folder if not exists by design. The problem exists in ~/App_Data/Files/ despite this fix. --- .../Providers/FileSystemProviders/XmlFileSystemProvider.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/BlogEngine/BlogEngine.Core/Providers/FileSystemProviders/XmlFileSystemProvider.cs b/BlogEngine/BlogEngine.Core/Providers/FileSystemProviders/XmlFileSystemProvider.cs index e45cb6c03..0c6b263ed 100644 --- a/BlogEngine/BlogEngine.Core/Providers/FileSystemProviders/XmlFileSystemProvider.cs +++ b/BlogEngine/BlogEngine.Core/Providers/FileSystemProviders/XmlFileSystemProvider.cs 
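Review bot: This check duplicates the one added to `UsersRepository.Add` in the same commit, and two string-level denylists drift apart easily; both should call one shared validator in BlogEngine.Core. It also runs after `dir = BlogService.GetDirectory("/avatars")`, which according to the patch-5 commit message creates the folder as a side effect, so the cheap input validation should move above that call. `ext` is derived from the client-supplied `fileName` and is not restricted in this hunk; if no extension allowlist exists earlier in `Post`, restrict avatar uploads to image extensions before the `MapPath` call. The second hunk of this file only restores the trailing newline. `Post`'s body continues outside the hunk.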
@@ -28,7 +28,7 @@ private static string BlogAbsolutePath(string VirtualPath) private static string RelativeFilePath(string VirtualPath) { VirtualPath = VirtualPath.Replace("//","/").Trim(); - if (VirtualPath.ToLower().Contains(FileContainerRoot.ToLower())) + if (VirtualPath.ToLower().Contains(FileContainerRoot.ToLower()+"/") || VirtualPath.ToLower() == FileContainerRoot.ToLower()) return VirtualPath; // ex: Oct 18 2012, added this to handle the case on the File Manager where if From 43d25d881ea24192fc9c119be9759d30aaf30f5d Mon Sep 17 00:00:00 2001 From: farzindev Date: Thu, 12 Jan 2023 22:28:13 +0330 Subject: [PATCH 6/9] fix --- README.md | 82 +++++++++++++++++++++++++------------------------------ 1 file changed, 37 insertions(+), 45 deletions(-) diff --git a/README.md b/README.md index 821bd4d60..8fd9a3fad 100644 --- a/README.md +++ b/README.md @@ -1,67 +1,59 @@ -This repository provides latest source code for BlogEngine.NET project. -
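Review bot: `ToLower()` without a culture is locale-sensitive, so under a Turkish server culture an `I`/`i` in either string can fail to match; compare ordinally instead, and use `StartsWith` rather than `Contains` so the match is tied to the beginning of the path, which is what "already under the file container root" means: `if (VirtualPath.StartsWith(FileContainerRoot + "/", StringComparison.OrdinalIgnoreCase) || string.Equals(VirtualPath, FileContainerRoot, StringComparison.OrdinalIgnoreCase))`. `Contains` still accepts a path that merely has the root somewhere in its middle, which the commit message itself notes is unresolved. `Replace("//", "/")` on the line above collapses only one level per pass (`///` becomes `//`), so the comparison can see a form the rest of the method does not expect; `Regex.Replace(VirtualPath, "/+", "/")` normalizes fully. `RelativeFilePath`'s body continues outside the hunk.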
+

+ BlogEngine is an open source blogging platform since 2007. Easily customizable. Many free built-in Themes, Widgets, and Plugins. +


- -BlogEngine Website -   - -BlogEgnien Features -   - -BlogEngine Themes -   - -BlogEngine Docs -   - -BlogEngine Donate - +- **[Website](https://blogengine.io/)** +- **[Docs](https://blogengine.io/support/get-started/)** +- **[Themes](https://blogengine.io/Themes)** +- **[Custom Design Theme](https://blogengine.io/)** +- **[Contact us](https://blogengine.io/)** +


+## Get Started +1. Requirements + You need a Windows Hosting that supports ASP.NET 4.5 and above. +2. Download + Get the latest BlogEngine and extract the zip file on the root of your website. +3. Write Permissions + Add write permissions to the App_Data and Custom folders on your server. -# Installation +4. Done + Navigate to admin panel by adding /admin/ to your website's URL. + For example: https://yourwebsite.com/admin/
+ Username: admin
+ Password: admin
+

-There are two download options for BlogEngine.NET: +## Development -### 1. Web Project -This is an ideal option that you just need to download and copy BlogEngine files on your website and then everything is ready: +Environment: -Requirements: - * ASP.NET 4.5 + +- Visual Studio +- ASP.NET 4.5+ Steps: -1. **[Download](https://github.com/rxtur/BlogEngine.NET/releases/download/v3.3.6.0/3360.zip)** and extract zip file on root of your website. -2. Add write permissions to the `App_Data` and `Custom` folder. -3. Installation is done. -4. You can navigate to administration by adding `/admin/` to your website's URL, for example: `http://yourblog.com/admin/` -5. Username: `admin` Password `admin` - -### 2. Source Code -This is the developer option. If you are interested is seeing how things work or want to add to the functionality, this is your option. +- Clone repository +- Open solution in Visual Studio 2015 + +- Build and run solution to load website in the browser +- You can navigate to administration on: http://localhost:64079/admin/ +- Username: admin Password admin +

-Environment: - * Visual Studio 2015 + - * ASP.NET 4.5 + - -Steps: - 1. Clone repository - 2. Open solution in Visual Studio 2015 + - 3. Build and run solution to load website in the browser - 4. You can navigate to administration on: `http://localhost:64079/admin/` - 5. Username: `admin` Password `admin` +## Security Update -### 3. Security Update After install, update `machineKey` in `Web.config` with values generated with tool [like this](https://www.allkeysgenerator.com/Random/ASP-Net-MachineKey-Generator.aspx). This will prevent known exploit (reported Sep 2019). This only effects if you use default `admin` account. +

-# Screenshot -More screenshots on the [website](https://blogengine.io). +## Copyright and License -![dashboard-3](https://cloud.githubusercontent.com/assets/1932785/11760070/0012f9d8-a052-11e5-84a8-e9097cb85f23.png) +Code released under the MS-RL License. Docs released under Creative Commons.
+Copyright 2007–2023 BlogEngine From 9742bb7a5b8b430ff4dd5820a9151a7216385893 Mon Sep 17 00:00:00 2001 From: farzindev Date: Thu, 12 Jan 2023 22:40:48 +0330 Subject: [PATCH 7/9] fix --- README.md | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 8fd9a3fad..a1261103f 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@

- BlogEngine is an open source blogging platform since 2007. Easily customizable. Many free built-in Themes, Widgets, and Plugins. + BlogEngine is an open source blogging platform since 2007.
Easily customizable. Many free built-in Themes, Widgets, and Plugins.


@@ -9,10 +9,8 @@ - **[Themes](https://blogengine.io/Themes)** - **[Custom Design Theme](https://blogengine.io/)** - **[Contact us](https://blogengine.io/)** - -
-
-
+
+
## Get Started From d0460d14661a871220d3513ac21aa5c70a6a6ac0 Mon Sep 17 00:00:00 2001 From: farzindev Date: Thu, 12 Jan 2023 22:47:52 +0330 Subject: [PATCH 8/9] fix url --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index a1261103f..6e00502c2 100644 --- a/README.md +++ b/README.md @@ -6,7 +6,7 @@ - **[Website](https://blogengine.io/)** - **[Docs](https://blogengine.io/support/get-started/)** -- **[Themes](https://blogengine.io/Themes)** +- **[Themes](https://blogengine.io/themes/)** - **[Custom Design Theme](https://blogengine.io/)** - **[Contact us](https://blogengine.io/)**
From 95c84261ed94402f45094c1fda85afbbf6f4d833 Mon Sep 17 00:00:00 2001 From: farzindev Date: Thu, 12 Jan 2023 22:48:22 +0330 Subject: [PATCH 9/9] fix url --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 6e00502c2..e25437ff2 100644 --- a/README.md +++ b/README.md @@ -7,8 +7,8 @@ - **[Website](https://blogengine.io/)** - **[Docs](https://blogengine.io/support/get-started/)** - **[Themes](https://blogengine.io/themes/)** -- **[Custom Design Theme](https://blogengine.io/)** -- **[Contact us](https://blogengine.io/)** +- **[Custom Design Theme](https://blogengine.io/themes/custom/)** +- **[Contact us](https://blogengine.io/support/)**